Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- qpid-java-broker-8.0.6, qpid-java-broker-9.0.0, qpid-java-broker-9.1.0, qpid-java-broker-9.2.0
- None
Description
Indraneel Dey reported on the mailing list:
Hello,

Our application uses QPID Broker-J and one of our users recently made us aware of an XSS vulnerability. The application seems to be vulnerable to a "reflected XSS attack" for the Management channel. Sending a request in the form of "{management-endpoint}/some-script-containing-alert" results in a response of the form of "Unknown path 'some-script-containing-alert'. Please read the api docs at ...". The part of the URL, "some-script-containing-alert", can contain any malicious script which is reflected in the response as is, and can be exploited for an XSS attack. I looked at QPID-6022 but the fix therein seems to have been insufficient.

It seems that similar fixes are also required in the following files for both "Unknown File" and "Unknown Path":

* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java

Thank you for your attention to this matter

regards,
Indraneel Dey
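The reflected-XSS pattern described in the report, placed beside one way of neutralising it, as an added example that is not part of the original issue or of Qpid Broker-J's own code. The class and method names (UnknownPathResponse, vulnerableBody, hardenedBody, escapeHtml, reflectsRawMarkup) are hypothetical stand-ins for the "Unknown path" / "Unknown file" handling in RootServlet and DefinedFileServlet, and the request path used in main is a constructed sample, not a payload from the report.

```java
// Added example, not Qpid Broker-J code. Class and method names are hypothetical.
public class UnknownPathResponse {

    // Vulnerable form: the unrecognised path segment from the request is
    // concatenated into an HTML body verbatim, so a segment such as
    // <script>alert(1)</script> comes back as live markup in the error page.
    static String vulnerableBody(String unknownPath) {
        return "<html><body>Unknown path '" + unknownPath
             + "'. Please read the api docs at ...</body></html>";
    }

    // Minimal HTML escaping for text placed inside an element body or a
    // quoted attribute. Apostrophe and slash are included so the same routine
    // is also safe inside single-quoted attributes and closing-tag contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened form: the path is escaped before it is reflected. The escaping
    // must be applied to the decoded path, i.e. what the servlet container
    // hands the handler after percent-decoding, otherwise %3C-encoded
    // payloads slip through.
    static String hardenedBody(String unknownPath) {
        return "<html><body>Unknown path '" + escapeHtml(unknownPath)
             + "'. Please read the api docs at ...</body></html>";
    }

    // Regression check: an HTML error response must never contain the raw
    // markup taken from the request path.
    static boolean reflectsRawMarkup(String body, String payload) {
        return body.contains(payload);
    }

    public static void main(String[] args) {
        // Constructed sample path segment standing in for the
        // "some-script-containing-alert" part of the reported URL.
        String payload = "<script>alert(document.cookie)</script>";

        System.out.println("vulnerable reflects raw markup: "
            + reflectsRawMarkup(vulnerableBody(payload), payload));
        System.out.println("hardened reflects raw markup:   "
            + reflectsRawMarkup(hardenedBody(payload), payload));
        System.out.println(hardenedBody(payload));
    }
}
```

Compile and run with `javac UnknownPathResponse.java && java UnknownPathResponse`. The same treatment has to be applied at every place the offending segment is echoed, which is the point the report makes about the "Unknown file" message in DefinedFileServlet as well as the "Unknown path" message in RootServlet. A complementary control is to serve these error bodies as `text/plain` together with `X-Content-Type-Options: nosniff`, so that even an unescaped value is never parsed as HTML by the browser; output escaping remains the primary fix because the HTTP management console does render HTML.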